This essay has been submitted by a student. This is not an example of the work written by professional essay writers.

Capstone Project: HIPAA Law


Introduction – HIPAA Law

Every American, from the beginning of life to the end, enjoys a fundamental, but not absolute, right to privacy that is deeply rooted in both tradition and law. In no area is this right more cherished or more unsettled than in protecting the confidentiality of identifiable personal health information. Notably, this is in the wake of the struggle of lawmakers, policy advocates, and healthcare professionals to balance individual privacy interests against other strong societal interests. Significantly, the protection of persons under the HIPAA rule is that any protected health information of a patient shall be held in trust by a covered entity (Confidentiality of Medical Records, 2016). However, this has not been achieved since “An estimated 17.6 million people, or about 7 percent of U.S. residents age 16 or older, were victims of at least one incident of identity theft in 2014 (Bureau of Justice Statistics, 2019).” This discourse shall, therefore, seek to analyze the overuse of one’s medical information, the security breaches in the medical industry, and, correspondingly, the precautions that a person should take to protect themselves from identity theft.

Overuse of Medical Information

The Hippocratic Oath, dating to the fourth or fifth century B.C., requires physicians to keep secret all knowledge of individual patients. Personal health information is maintained not only by physicians but also in the records and databases of hospitals and clinics that provide treatment or diagnostic services, laboratories that perform tests, pharmacies, and insurance companies and managed care organizations to which claims are submitted, or coverage is made (Confidentiality of Medical Records, 2016). Besides, personal health data is frequently shared with universities and pharmaceutical companies for medical and health services research purposes.

Making the Medical Privacy Policy Better

Despite the privacy rule provided by HIPAA, the data of patients is not adequately protected. It is a shame that when a person visits a doctor’s office or the emergency room, the person working the window will either ask for the patient’s social security number or want the patient to give out their social security number so that they can check their filed records. Ever noticed that there is not a room or a door one can close? Technology has grown over the years, and while one is giving out their personal information to get medically treated, someone can record the person with their cell phone while the person is verifying their social security number, date of birth, and address (Identity Theft, 2019). The vindictive person will then have all the information they need to pretend to be the person. Additionally, some people are so loud that everyone can hear their whole conversation. For instance, when an older adult who does not wear hearing aids talks loudly, one can be sure that the receptionist is not thinking of their privacy.

Security Breaches in the Medical Industry

Privacy can be managed in such an instance through various means. One is for the clerk or the patient to write the social security number on a piece of paper like a post-it note. When the clerk is done, he/she gives the post-it note back to the patient, and the patient can dispose of it at their own risk. With all the bad things going on in the world today, one does not know if the office clerk or program secretary is going to shred one’s information. One might also have family working at a hospital or clinic that one goes to, and it would be extremely unethical if a member of one’s family had access to one’s medical records. Arguably, there are some things that one likes to keep private. Medical facilities have made it a rule that where the patient does not have a signed or scanned copy in their medical documentation or medical release form, they legally cannot send or give out that patient’s medical records to anyone (Confidentiality of Medical Records, 2016). It just makes one wonder if the person behind the desk is going through medical files to make sure the patient has a signed release form in their file.

Statistics of Medical Breaches

The word breach sometimes just makes one’s skin crawl. When one hears of a breach in the medical field, everyone assumes that the worst has happened. “Experts estimates that data breaches cost the healthcare industry $6.2 billion, as some 79% of healthcare organizations say they were hit with two or more data breaches in the past two years, and 45%, more than five breaches.” (Higgins 2016). “Most of those exposed fewer than 500 data records, and thus neither get reported to the US Department of Health and Human Services nor revealed to the media.” (Higgins 2016). That is a huge number, which begs the question: how does one know if they are among the unlucky ones whose information was breached?

Figure A. Number of Records breached by Industry

Breaches of confidentiality are currently widespread, from medical devices and medical records to government medical clearances. In some instances, breaches occur within the parameters of the present law; for example, pharmacies in some states legally sell individual prescription records to pharmaceutical companies for use in marketing campaigns. Pharmaceutical companies are now pushing prescription saver cards for medicines like Farxiga or Invokana. While this may be great in a way, because one gets a prescription at no cost and just needs to activate the card, one also has to enter their personal information to an extent. Once one has done this, they have opened themselves up to the marketing campaigns of the company that makes the prescription drugs.

Cyber Attacks - Attacks on Insulin Pumps

There have been instances of cyber attacks on patient records before. “The cyberattack in which hackers stole the names, birth dates, Social Security numbers, home addresses and other personal information of 78.8 million current and former members and employees—gave Anthem’s reputation a black eye early on. The company and the industry at large scrambled to do damage control. This led to consumers questioning whether Anthem and other healthcare organizations could manage the volumes of data they had.” (Herman 2016). The worst part about whoever hacked this company, whether it was a person, another country like Russia or China, or even another insurance company, is that the person or persons now have access to all patients’ medical records, from surgeries done in the past to medications one is currently taking and one’s deductibles.

Another scare that one should watch out for involves people that have diabetes. This is because Johnson & Johnson is warning that more than ten thousand patients using a specific insulin pump are targets for hackers. In a letter, the company said its Animas OneTouch Ping insulin pump has a bug causing a potential cybersecurity risk. Hackers could hijack the device and force it to deliver unauthorized, and possibly lethal, insulin doses. It is scary to think that someone in one’s community or across the world could be in control of one’s insulin levels.

Prevention or Precaution of Breaches

Unlike fingerprints, which are unique to a person and cannot be given to someone else for their use, personal data, for example, Social Security numbers, bank account or credit card numbers, telephone calling card numbers, and other valuable identifying data can be used, if they fall into the wrong hands, to profit others at the expense of the affected party. “Individual identities, called ‘fullz’ on the black market, vary in price from $1 to about $450 (converted from bitcoin) and are valued based on factors like quality, robustness, reliability, and the seller’s reputation – not unlike eBay (Abrams, 2016).” This information is enough to make one cringe. It makes one think, are we safe? Is our information safe at night or anytime? The figures below show how easy it is for someone to buy one’s information.

Payment & Banking Information | Price
Credit card details | From $2 – $90
Bank credentials | From $80 to $700 with guaranteed balance
Bank transfers & check cashing | From 10% to 40% of the total
PayPal credentials | $10 & up with no guaranteed balance
Online store & payment platform credentials | From $80 to $1500 with guaranteed balance
Physical (cloned) credit cards | From $190 + cost of details

Figure B1. Prices of Personal Information (Kassner, 2016)

Services & Equipment to Commit Fraud | Price
Card cloners | From $200 to $1000
Fake ATM machines | Up to $35,000
Design & publish fake online store or website | Varies based on project scope

Figure B2. Prices of Services and Equipment to Commit Fraud (Kassner, 2016)

Federal Laws - Precautions after a Breach

Once this is filed, submit a copy of one’s police report to one of the credit bureaus; the other two bureaus will receive the report as well and will make sure that any financial institution is aware of it. An individual should provide a good contact number for a bank or credit company to call if they see someone is using their identity (Identity Theft, 2019). This way, when they call, you can give verification, and your phone number serves as an extra step for security. Additionally, if one finds anything in their mail about individual accounts they did not open, and it is in their name, they should call the company and demand that those accounts be shut down.

Important Services during a Breach

Another thing one should look into is a service called LifeLock. This service monitors an individual’s financial activity as well as personal information such as social security number, date of birth, home address, and mailing address. Nowadays, one cannot be too safe when it comes to anything. For a person who likes to submit their medical claims, look at their personal insurance statement, or have access to personal online medical records, LastPass will be a useful service (Identity Theft, 2019). It is a premium password management service that stores encrypted passwords in private accounts. While LastPass is standard with a web interface, it also includes plugins and apps for many modern web browsers and includes support for bookmarklets.

Penalties for Hacking Personal Information

There are existing penalties for offenders of the privacy rule under HIPAA. “Penalties for fraud offenses may include criminal penalties, civil penalties, or both. Most criminal fraud offenses are considered felony crimes and are punishable by jail, fines, probation, or all of the above. Civil penalties may include restitution (paying the person back) or payment of substantial fines (geared to punish the behavior) (Average Identity Theft Penalties, 2015).”  The federal law relating to identity theft penalties was signed into action by President Bush in 2004, and it mandates federal prison time for anyone convicted of the crime (Average Identity Theft Penalties, 2015).

It also increases the maximum jail sentence from three years to five years and increases penalties for phishing schemes, among other changes. There should be longer jail time for someone that steals another person’s identity. Everyone comes into this world with their own name, and over time one works hard to build up that name and whom they become in life. It would be unfair to have a malicious person take that away. With the vital information in hand, criminals have everything they need to pretend to be someone else. Depending on who that person is, they can ruin one’s life and rack up tons of fraudulent bills. Theft is one of the fastest-growing crimes in the United States today. The Federal Trade Commission (FTC) estimates that as many as 9 million Americans have their identities stolen each year (Identity Theft, 2019).

Legal Framework of Identity Laws

The legal framework presents questions on what punishment is enough for identity thieves. Some suggest that the criminal should pay the person or persons whose identity they stole. If, for example, this individual took $10,000-$30,000, the criminal should pay back all that money to the individual. This should be done regardless of whether it means that the person needs to sell things, get personal loans, or work several jobs; what is important is that everything needs to be paid back. “Each state differs in how they handle an identity theft conviction, but at the very least, the criminal will be given a misdemeanor and forced to pay back any loss suffered by the victim, whether financial or in compensation of time, and labor. As the severity of the crime increases, so too do the state identity theft penalties, ranging from prison terms up to ten years to fines numbering in the thousands of dollars (Average Identity Theft Penalties, 2019)”. A great deal of time and many working hours go into dealing with a stolen identity: the paperwork involved, one’s time, the phone calls made to individual companies to make sure one’s information is not being used, and the hurt that one goes through, wondering why the theft had to happen to them.

Different laws are applied differently to identity thieves. “There are two levels of punishment for identity theft: the state level and the federal level. The federal law relating to identity theft penalties was signed into action by President Bush in 2004, and it mandates federal prison time for anyone convicted of the crime. It also increases the maximum jail sentence from three years to five years and increases penalties for phishing schemes (Identity Theft, 2019).” When the criminal is convicted, they need to have their credit monitored and have random inspections of their finances, as well as their investments. Anything that looks out of the ordinary will need to be brought in for questioning.

Cyber-attacks and hacking are severe crimes, and with advances in technology, cyber-attacks and hacking into records or insurance companies will only get worse. Putting someone on probation just because it is their first offense does not seem fair. They need to serve jail time right off the bat, since no normal person ever thinks about hacking or taking someone’s identity. If someone therefore hacks or steals another’s identity, they must be aware and prepared to assume the consequences of their actions. People may argue that dictating what should be justice may not serve the best interest of justice, but given the implications of this problem, the harshest sentence seems practical to prevent people from committing the crime.

Victims of identity theft should be aware of the laws in their area so that they know what to expect when their case moves towards conviction. It is helpful to know what statutes are being used to measure the crime when anticipating what the outcome might be for the victim. Always report if you see something that is off or questionable. The instances when one needs to raise concerns include when one:

  1. Gets a bill for medical services they did not receive;
  2. Is contacted by a debt collector about a medical debt they do not owe;
  3. Sees medical collection notices on their credit report that they do not recognize;
  4. Finds erroneous listings of office visits or treatments on their explanation of benefits (EOB);
  5. Is told by their health plan that they have reached their limit on benefits; or
  6. Is denied insurance because their medical records show a condition they do not have.

Black Market and Prices of Information

Breached records can go for pennies to hundreds of dollars, depending on the nature of the content up for sale. So, how much money do these cybercriminals make after they get hold of data? How precious is the data in monetary terms? According to Symantec’s 2020 Internet Security Threat Report, attacks on enterprises are up 12% (Cooper, 2020). A new business will fall victim to an attack every 14 seconds this year. The attacks have already generated upward of $25 million in revenue for criminals. The Sociable spoke to an array of experts to see what price cybercriminals put on different types of information. The following is a composite list:

  • Personal Information (including identification number, address, birthdate) – $20 to $450
  • Social Security Numbers – $1 each
  • Medical Records – $20 to $50 each
  • Credit Card Numbers – $2 – $5

Social security numbers were one of the most frequently exposed types of sensitive data last year and fetch a surprisingly low sum, according to Adam Stahl, Digital Marketing Specialist at Kelser Corporation. He also says medical records are one of the most valuable types of information on the black market, making healthcare organizations such a target for hackers.

Conclusion

Data security is a significant concern for patients who provide their data in search of health. The protection of this data is under the purview of any institution trusted with an individual’s data. Privacy is paramount and personal, and it is vital for every individual. Adherence to the privacy rule should not be limited to the healthcare sector; it should apply everywhere, since insurance companies and banks are also impacted by these evil attacks. After reviewing the data on healthcare breaches and their impact on the lives of victims, it is safe to state that healthcare officials should stay vigilant and careful about the protection of patients’ healthcare information. Personal information and medical history are two important things to be protected under heightened security. Additionally, it will be necessary for policy advocates to review issues touching on the penalty for identity thieves. The implications of identity theft for an individual range from cost burdens to emotional trauma and insecurity concerns. Would it, therefore, be appropriate for an identity thief to roam freely? As it is said, actions have consequences, and identity thieves should similarly pay for their actions.

Recommendations

Healthcare protection laws should be improved to protect patients’ electronically stored information. Training should be arranged for healthcare officials and employees so that they gain insight into technical risks and are able to manage them if they occur. Employees in healthcare organizations should be hired on a loyalty basis, and strict punishments need to be imposed to regulate their activities. Strong security should be maintained to monitor the activities of healthcare workers. Enhanced and advanced network security and application security are required to avoid data breaches and further complications for the organization as well as for the patient. Encryption methods should be implemented because they protect the patient’s personal and medical information from unauthorized access. The punishments stated in constitutional and universal laws are short-term and are not enough to deter a criminal. Healthcare hacking laws need to be improved with extended imprisonment and fines that will be paid to the patient according to the loss borne. Government involvement in the healthcare sector needs to be eliminated or kept at a small level to protect against data breaches. These recommendations help deal with privacy problems in the United States as well as across the world.

References

Abrams, Loney. www.hopesandfears.com. November 10, 2016. http://www.hopesandfears.com/hopes/now/business/215517-identity-sell-on-black-market.

Average Identity Theft Penalties. (2015, August 10). Retrieved February 28, 2020, from https://enlightenme.com/identity-theft-penalties/.

Bureau of Justice Statistics. (2015, September 27). 17.6 MILLION U.S. RESIDENTS EXPERIENCED IDENTITY THEFT IN 2014. Retrieved February 28, 2020, from http://www.bjs.gov/content/pub/press/vit14pr.cfm

Confidentiality of Medical Records: A Situation Analysis and AHIMA’s Position. September 29, 2016. http://bok.ahima.org/doc?oid=60048#.V-1_AVQrJQI.

Cooper, C. (2020, February 24). Symantec Security Summary. Retrieved February 28, 2020, from https://www.symantec.com/blogs/feature-stories/symantec-security-summary

Fraud. (2019, November 22). Retrieved February 28, 2020, from http://criminal.findlaw.com/criminal-charges/fraud.html.

Herman, Bob. “http://www.modernhealthcare.com.” http://www.modernhealthcare.com. October 7, 2016. http://www.modernhealthcare.com/article/20160330/NEWS/160339997.

Higgins, Kelly Jackson. Healthcare Suffers Estimated $6.2 Billion In Data Breaches. October 4, 2016. http://www.darkreading.com/threat-intelligence/healthcare-suffers-estimated-$62-billion-in-data-breaches/d/d-id/1325482.

Identity Theft. (2019, January 24). Retrieved February 28, 2020, from http://criminal.findlaw.com/criminal-charges/identity-theft.html.

Kassner, Michael. “Cybersecurity professionals: The healthcare industry needs you.” http://www.techrepublic.com. October 5, 2016. http://www.techrepublic.com/article/cybersecurity-professionals-the-healthcare-industry-needs-you/.

 
